author | tv <tv@krebsco.de> | 2016-07-03 21:14:07 +0200 |
committer | tv <tv@krebsco.de> | 2016-07-03 21:14:07 +0200 |
commit | b9531aec2e051913c04935f97bdff85aef4e7dbf (patch) | |
tree | dd52d1446be20fa00f88cfcc77b968d4db3f4d15 /tv | |
parent | 8f4742f184b7865bf3a29640d9a7cd480ad517d0 (diff) |
cd nginx: enable https
Diffstat (limited to 'tv')
-rw-r--r-- | tv/1systems/cd.nix | 52 |
1 files changed, 41 insertions, 11 deletions
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index a46edb4..75c1900 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -44,20 +44,50 @@ with config.krebs.lib;
 "cgit.cd.viljetic.de"
 ];
 # TODO make public_html also available to cd, cd.retiolum (AKA default)
- krebs.nginx.servers.public_html = {
- server-names = singleton "cd.viljetic.de";
- locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '');
+ krebs.nginx.servers."https://viljetic.de" = {
+ server-names = singleton "viljetic.de";
+ listen = mkForce []; # disable default
+ ssl = {
+ enable = true;
+ certificate = "/var/lib/acme/viljetic.de/fullchain.pem";
+ certificate_key = "/var/lib/acme/viljetic.de/key.pem";
+ };
+ locations = [
+ (nameValuePair "/" ''
+ root ${pkgs.viljetic-pages};
+ '')
+ (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+ alias /home/$1/public_html$2;
+ '')
+ ];
 };
- krebs.nginx.servers.viljetic = {
+ krebs.nginx.servers."http://viljetic.de" = {
 server-names = singleton "viljetic.de";
- # TODO directly set root (instead via location)
- locations = singleton (nameValuePair "/" ''
- root ${pkgs.viljetic-pages};
- '');
+ locations = [
+ (nameValuePair "/.well-known/acme-challenge/" ''
+ root /var/lib/acme/challenges/viljetic.de/;
+ '')
+ (nameValuePair "/" ''
+ return 301 https://viljetic.de$request_uri;
+ '')
+ ];
+ };
+ security.acme = {
+ certs."viljetic.de" = {
+ email = "tomislav@viljetic.de";
+ webroot = "/var/lib/acme/challenges/viljetic.de";
+ plugins = [
+ "account_key.json"
+ "key.pem"
+ "fullchain.pem"
+ ];
+ user = "nginx";
+ };
 };
- tv.iptables.input-internet-accept-tcp = singleton "http";
+ tv.iptables.input-internet-accept-tcp = [
+ "http"
+ "https"
+ ];
 }
 ];
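Review bot: The new `security.acme.certs."viljetic.de"` block renews the certificate but nothing reloads nginx afterwards, so the `https://viljetic.de` server keeps serving the previously loaded `fullchain.pem` until the next restart and will present an expired certificate once the old one lapses; if the ACME module in use here supports it, add `postRun = "systemctl reload nginx.service";` next to `user = "nginx";`. Separately, the removed `public_html` server was the only one with `server-names = singleton "cd.viljetic.de"`, and no added block carries that name, so requests for that hostname now fall through to whatever nginx picks as the default server — presumably intentional given the TODO context line, but worth a one-line comment there. The `~ ^/~(.+?)(/.*)?\$` alias and the `/` root are now reachable only via the HTTPS block, while the HTTP block serves just the ACME challenge path and a 301; that split is correct for a redirect-to-TLS setup. The enclosing attribute set continues outside the hunk.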